Marriott Data Breach Also Included Passport Numbers and Payment Card Info of Customers

Last month, we reported that one of the biggest and most famous hotel chains in the world, Marriott, got hit by hackers. The attackers made off with valuable personal data of hundreds of millions of customers.

A recent press release issued by Marriott clarifies that the hackers actually stole less data than originally reported, but that the data may also have included customers' passport numbers.

The breach occurred in Marriott’s Starwood hotel reservation system back in 2014, but it was detected much later (September 8th, 2018).

Hack Details

Originally, the number of affected customer accounts was estimated to be 500 million, but the latest statement issued by Marriott puts the upper limit of affected accounts at 383 million. What’s more, that number also contains several duplicate accounts (according to Marriott), so the number of affected people might actually be lower than that.

The company has also phased out the Starwood Hotels’ reservation system, replacing it with their own system by the end of 2018. So if you’re worried about making a reservation at the Marriott after the hack, rest assured, a repeat is less likely now.

The data also included around 25.55 million passport numbers, with 5.25 million unencrypted numbers and 20.3 million encrypted ones. Payment card information was also stolen, with an estimated 8.6 million encrypted card numbers taken. Out of those, around 354,000 had not expired by September 2018 (when the breach was detected). Fewer than 2,000 unencrypted card numbers were stolen.

We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened. As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.

According to the New York Times, initial analysis of the breach revealed that Chinese entities may have been involved. Although China denied involvement in the incident, the USA’s National Security Agency still warned about the rising number of cyber attacks originating from China. The FBI is also looking into the data breach.